The Hacker News — Cyber Security, Hacking, Technology News

Yesterday, the most popular RSS reader, Feedly, was down as a result of a large-scale distributed denial-of-service (DDoS) attack carried out by cybercriminals trying to extort money.

On Wednesday, Feedly was temporarily unavailable to its users. Feedly posted details of the attack on its blog at 5:00 AM ET, saying that it was under a Distributed Denial of Service (DDoS) attack and that cybercriminals were demanding money to stop it and let the service return to normal operation.

“Criminals are attacking feedly with a distributed denial of service attack (DDoS). The attacker is trying to extort us money to make it stop,” Edwin Khodabakchian, founder and CEO of Feedly, said in a statement on Wednesday. He also expressed regret: “We want to apologize for the inconvenience. Please know that your data is safe and you will be able to re-access your feedly as soon as the attack is neutralized.”

Feedly is a very popular RSS feed service, available on desktop, iOS and Android, with around 15 million users and 24,000 paying customers. It is also integrated into hundreds of third-party apps and lets users browse the content of their favorite blogs, magazines, websites and more in one place via RSS feed subscriptions.

Feedly gained its popularity after Google announced the closure of its Google Reader service last year, and a huge number of Google Reader users switched to Feedly. Its popularity and reputation attract RSS die-hards and cybercriminals alike.

The San Francisco-based firm confirmed that bad actors had launched a DDoS attack on its popular site and were demanding a ransom to restore the service. The company refused to pay the criminals, a decision that deserves appreciation.

“We refused to give in and are working with our network providers to mitigate the attack as best as we can,” said Edwin Khodabakchian. He added, “We are working in parallel with other victims of the same group and with law enforcement.”

WHAT IS A DDoS ATTACK?

For those who are not familiar, a Distributed Denial-of-Service (DDoS) attack is one in which multiple compromised systems attack a single target system or service to make it unavailable to its intended users. The flood of incoming requests effectively forces the target system or service to shut down, denying service to its legitimate users.

According to the company, the attackers overwhelmed Feedly’s network resources but did not gain access to any of its servers, so users were assured that their data is safe.

FEEDLY TIME-OUT

At the time of writing, the website was still unavailable, with visitors greeted by error messages including ‘408 Request Timeout’ and ‘Error 502 Timeout’. Later, the website informed users that there was no issue with their browser or with the site’s CloudFlare content delivery network, but that the host domain was unreachable at the time.

A few hours after confirming the attack, Feedly said it had made changes to its infrastructure to bring the website back online. "However, these things take some time to put into place and it may still be a few more hours before service is restored," the company said. "Thank you so much for your patience and for sticking with us."

The popular online notes and web clippings service Evernote suffered a similar attack. It is not yet known whether the two are linked, but Feedly and Evernote work closely together.

RECORD-BREAKING DDoS ATTACKS

DDoS attackers have discovered more powerful ways to attack a web service by abusing Internet protocols such as DNS, NTP and even SNMP, which allow cybercriminals to carry out record-breaking DDoS attacks with little skill and relatively few resources.

Feedly has set an example for all of us: paying a ransom to bad actors is simply wrong, and fulfilling their demands does nothing but encourage them to carry out more such attacks against you.

Distributed Denial of Service (DDoS) attacks are becoming more sophisticated and complex as attackers’ skills grow, and DDoS has become one of the favorite weapons of cybercriminals for temporarily suspending or crashing the services of an Internet-connected host; by now nearly every big site has been a victim of such an attack.

Since 2013, hackers have adopted a new tactic to boost the size of Distributed Denial of Service (DDoS) attacks, known as the ‘Amplification Attack’, which leverages weaknesses in UDP-based protocols. One of the most commonly used variants is DNS Reflection Denial of Service (DrDoS).

WHAT IS A DrDoS ATTACK?

The DNS Reflection Denial of Service (DrDoS) technique exploits security weaknesses in the Domain Name System (DNS) Internet protocol. Using IP address spoofing, the source address of each query is set to that of the targeted victim, so all the replies go to the target, which receives responses from every DNS server that was used. This type of attack makes it very difficult to identify the malicious sources.

MILLIONS OF HIJACKED ROUTERS AIDING DrDoS ATTACKS

New research from Nominum, a DNS vendor that provides ISPs with DNS-based analytics and monetization solutions, reveals that DNS-based DDoS amplification attacks have increased significantly in recent months and that attackers are using home and small-office routers to amplify their bandwidth.

The report claims that more than 24 million home routers (800,000 of them located in the UK) are vulnerable to various firmware flaws that allow attackers to gain unauthorised access and modify DNS (Domain Name Server) settings.

This could expose ISPs and their users to unknowingly participating in massive Internet DNS-based Distributed Denial of Service (DDoS) attacks.

In February alone, more than five million home routers were used to generate DDoS attack traffic, and in January, more than 70% of total DNS traffic on a provider’s network was associated with DNS amplification.

The impact on Internet service providers (ISPs) is felt four times over, Nominum said, because amplification attacks generate malicious traffic that not only consumes bandwidth but also raises support costs and damages the ISPs’ reputation.

“Existing in-place DDoS defenses do not work against today’s amplification attacks, which can be launched by any criminal who wants to achieve maximum damage with minimum effort,” explained Sanjay Kapoor, CMO and SVP of Strategy, Nominum. “Even if ISPs employ best practices to protect their networks, they can still become victims, thanks to the inherent vulnerability in open DNS proxies.”

The main reason for the growing popularity of DNS amplification or DrDoS attacks is that they require little skill and effort to cause major damage. The high attack bandwidth is possible only because attackers use misconfigured domain-name service (DNS) servers, known as open recursive resolvers or open recursors, to amplify a much smaller stream of queries into a large data flood.

“Because vulnerable home routers mask the target of an attack it is difficult for ISPs to determine the ultimate destination and recipient of huge waves of amplified traffic,” said Nominum.

RISE IN MASSIVE DDoS ATTACKS

DDoS techniques have advanced massively as attackers have become more skillful at working around network security. A year ago, a massive 300Gbps DDoS attack launched against the Spamhaus website almost broke the Internet. Earlier this year, hackers reached new heights with a massive DDoS attack targeting content-delivery and anti-DDoS protection firm CloudFlare, peaking at more than 400Gbps and striking the company’s data centers in Europe.

Users are advised to change the default username and password on their routers and to keep the router firmware updated with security patches. A router’s management interface should be accessible only from the local network (LAN).

Several weeks ago we reviewed Incapsula, a cloud-based security service that can significantly enhance the security of your website while also boosting its performance. Following that review we received many responses from readers who wanted to learn more about Incapsula’s protection services; specifically, we were asked to explain more about the features of the Incapsula Enterprise plan. To answer these questions, today we take a look at Incapsula’s DDoS protection services.

Distributed Denial of Service attacks

If your business has a web presence, chances are that you have already heard about Distributed Denial of Service attacks. In case you haven’t, a Distributed Denial of Service (DDoS) attack is a DoS attack that is usually carried out by a “botnet”, a network of computers acting in concert to overwhelm a server by depleting all of its available resources.

Recently we all witnessed large DDoS attacks on U.S. banks by a Muslim hacker group, attacks which crippled the sites and effectively cut bank customers off from online services for extended periods. In recent years such attacks have become more and more common, and they now target even small and medium online businesses as well as big and prominent websites.

Just like in the HSBC attack, a typically sized DDoS can bring down a website and even crush an entire network of servers. Moreover, because it relies on size and brute force rather than on the existence of vulnerabilities, DDoS is very hard to prevent and to mitigate. Currently, true DDoS protection can only be provided by reliable user-identification techniques combined with strong server infrastructure.

Incapsula – Complete DDoS Protection

Incapsula’s DDoS Protection service uses both defense techniques, integrating a global network of multi-gigabit scrubbing centers with a unique bot (automation) detection technology.

As a result, Incapsula provides complete protection from network-level (Layer 3 & 4) and application-level (Layer 7) DDoS attacks. The effectiveness of Incapsula is clearly demonstrated by the screenshot above, which shows the successful mitigation of an escalating DDoS attack. The attack lasted for more than an hour and peaked at a destructive 22Gbps. As is evident from the image above, Incapsula’s network handled this attack well, coming out of it with all of its servers 100% active for 100% of the time.

The other side of this scenario reveals itself in a quote from one of Incapsula’s customers, Witold Radomski, CTO of the very popular Enjin.com:

“Our network was finally clear from the endless onslaught of crippling UDP & SYN flood attacks. Using Incapsula's dashboard, we were able to see exactly when each attack was happening, and continue delivering service to millions of users during the attack. We also saw a sharp drop in unwanted bot activity, which resulted in a 20% drop in load on our servers.

A key feature we were looking for is a very low false positive rate during mitigation. Incapsula proved to have a near zero false positive rate, and legitimate users had no trouble accessing Enjin websites during prolonged DDOS attacks.”

The second part of this quote is especially revealing, as it points to one of Incapsula’s main strengths: its accurate and unobtrusive visitor identification algorithm.

Zero Business Disruption

In addition to the sheer strength and scalability of its network, Incapsula’s other advantage is the way it performs during an attack. When hit by a DDoS, most mitigation services apply intrusive challenges to website visitors (such as CAPTCHAs or delay pages) to compensate for the lack of better identification techniques. Of course, such challenges are not a valid option for most commercial sites, since they drive away human visitors who detest CAPTCHAs and delays.

Recognizing that, Incapsula implements smart identification algorithms that provide the same level of protection while working seamlessly in the background and allowing immediate access to human visitors, even during an attack. This also addresses another inherent limitation of CAPTCHA and JavaScript challenges, which are not always effective for direct access to website resources (e.g. downloading an image).

So how does Incapsula identify non-human DDoS agents? I found that Incapsula generally uses three types of identification methods, listed in descending order of preference:

1. Verified Clients: This group includes humans with strong classification characteristics, according to Incapsula’s Client Profiling. Here you will also find verified non-human entities such as search engines and website monitoring tools. This is essentially how Incapsula leverages its accumulated knowledge for quick and accurate identification.

2. Challenges and Obstacles: If the visitor is not verifiable, the visit has to undergo a challenge. Challenges are intended to give the visitor an opportunity for redemption and are mostly performed seamlessly, with minimal effect on the actual session.

3. Heuristic and Statistical Methods: By monitoring statistical data, such as client request rates and clustering, the system can identify the most problematic visitor populations (such as web browsers with cookie support turned off). During a DDoS, the access rate for these populations is limited in order to give better service to verified visitors.

Sounds interesting? It should, because by combining strong infrastructure with smart identification algorithms, Incapsula offers complete defense against all types of DDoS threats, including network-based attacks (like SYN or UDP floods) and application attacks that attempt to overwhelm server resources. Of course, the service will also block attacks that try to exploit application and web server vulnerabilities, like Slowloris.

Simply reading a 'Note' created by anyone on Facebook could make you an unwitting participant in attacks against others.

Security researcher Chaman Thapa, also known as chr13, claims that a flaw in the 'Notes' section of Facebook, the most popular social networking site, could allow anyone to launch a distributed denial-of-service (DDoS) attack of more than 800 Mbps against any website.

A Distributed Denial-of-Service (DDoS) attack is one in which multiple compromised systems attack a single target system or service to make it unavailable to its intended users. The flood of incoming requests effectively forces the target system or service to shut down, denying service to its legitimate users.

While demonstrating the vulnerability on his blog, he explained that Facebook allows users to include tags inside a post in order to draft a note with related images from any source.

Facebook downloads an external image from its original source only the first time and then caches it, but if the image URL carries dynamic parameters, the cache can be bypassed, forcing Facebook’s servers to download every included image each time anybody opens the note in a browser.

'Facebook will only cache the image once however using random get parameters the cache can be bypassed and the feature can be abused to cause a huge HTTP GET flood,' he said.

DDoS FACTOR, A SCENARIO

Suppose an attacker wants to DDoS a website, target.com, that hosts a 1 MB image on its server. The attacker can create a Facebook Note containing some text and the same image included many times with different dynamic parameters, i.e.

This way one can force Facebook’s servers to load a 1 MB file 1000 times in a single page view, and if 100 Facebook users read the same crafted note at the same time, Facebook’s servers are forced to download 1 x 1000 x 100 = 100,000 MB, or 97.65 GB, from the targeted server within a few seconds.
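From the origin server’s side, the pattern described above is one client fetching the same static file over and over with URLs that differ only in the query string. The following detector, an added example written for this article (not Facebook’s or the researcher’s code), runs over constructed combined-format access log lines and flags such cache-busting fetch storms so an operator can rate-limit the client or ignore query strings on static paths; the window and threshold values are assumptions chosen for the sample data.

```python
"""
Detect cache-busting fetch storms against static files in web server logs.

Constructed example for this article. Requests are grouped by
(client ip, path without query string); a group whose requests show many
distinct query strings inside a short window is reported.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format. The sample lines below are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["url"].partition("?")
    size = 0 if m["bytes"] == "-" else int(m["bytes"])
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": path, "query": query, "bytes": size, "ua": m["ua"]}


def cache_bust_alerts(lines, window=timedelta(seconds=60), min_variants=20):
    """
    For every (client ip, path) group, slide a time window over the requests and
    record the largest number of distinct query strings seen inside it. Groups
    reaching min_variants are returned as alerts, most variants first.
    (window and min_variants are assumed values; tune them per site.)
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["ip"], rec["path"])].append(rec)

    alerts = []
    for (ip, path), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        best = 0
        for i, start in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            best = max(best, len({r["query"] for r in in_window}))
        if best >= min_variants:
            alerts.append({"ip": ip, "path": path, "variants": best,
                           "bytes": sum(r["bytes"] for r in recs),
                           "ua": recs[0]["ua"]})
    return sorted(alerts, key=lambda a: a["variants"], reverse=True)


def _line(ip, ts, url, size, ua):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {url} HTTP/1.1" 200 {size} "-" "{ua}"'


# Constructed sample log: ordinary traffic from one client, plus 30 fetches of a
# 1 MB image within 30 seconds from a crawler, each with a different query string.
SAMPLE_LOG = [
    _line("192.0.2.1", "12/Apr/2014:10:00:00 +0000", "/index.html", 5120, "Mozilla/5.0"),
    _line("192.0.2.1", "12/Apr/2014:10:00:01 +0000", "/img/banner.jpg", 1048576, "Mozilla/5.0"),
]
for n in range(30):
    SAMPLE_LOG.append(_line("203.0.113.5", f"12/Apr/2014:10:00:{n:02d} +0000",
                            f"/img/banner.jpg?r={n}", 1048576, "ExampleCrawler/1.0"))

if __name__ == "__main__":
    for alert in cache_bust_alerts(SAMPLE_LOG):
        print(alert)
```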

400 MBPS DDoS ATTACK DEMO

The researcher demonstrated the proof-of-concept with a 400 Mbps attack against his own web server. Stats are shown below:

The factor and danger of the DDoS attack could be even higher if the image were replaced by a larger PDF or video, in which case Facebook would crawl a huge file while the user gets nothing.

Facebook allows a user to create a maximum of 100 Notes in a short span of time, and each Note can contain more than 1000 links. Because there is no CAPTCHA on Note creation, the whole operation can be automated, and an attacker could easily create hundreds of notes using multiple accounts while performing the attack.

"It seems there is no restriction put on Facebook servers and with so many servers crawling at once we can only imagine how high this traffic can get," he concluded.

STILL UNPATCHED AND DON'T EXPECT ANY PATCH FROM FACEBOOK

Unfortunately, Facebook has no plans to fix this critical vulnerability. "In the end, the conclusion is that there's no real way to us fix this that would stop attacks against small consumer grade sites without also significantly degrading the overall functionality," Facebook replied to the researcher.

A similar kind of attack was noticed in mid-2011, when a penetration tester at Italian security firm AIR Sicurezza Informatica discovered flaws in Google+ servers that allowed hackers to exploit the search giant’s bandwidth and launch a distributed denial-of-service (DDoS) attack on a server of their choice.

Two British members of the notorious Lulz Security hacking collective have pleaded guilty to a slew of computer crimes, in the latest blow against online troublemakers whose exploits have grabbed headlines and embarrassed governments around the world.

LulzSec members Ryan Cleary, 20, and Jake Davis, 19, pleaded guilty in a London court to launching distributed denial of service (DDoS) attacks last year against several targets, including the CIA, the Arizona State Police, PBS, Sony, Nintendo, 20th Century Fox, News International and the U.K.'s Serious Organized Crime Agency and National Health Service.

Ryan Cleary, from Essex, United Kingdom, was arrested by the Metropolitan Police on June 21, 2011 and charged with violating the Computer Misuse Act and the Criminal Law Act 1977. He was accused of being a member of LulzSec, though he was not a member of the group, although he admitted that he ran one of the IRC channels they used for communicating. He also faces prosecution for joining other members of LulzSec in using hacked computers, known as a "botnet", to steal confidential information, deface websites and attack servers.

Jake Davis, an 18-year-old suspected of being "Topiary", was arrested in the Shetland Islands on July 27, 2011. On July 31, 2011 he was charged with five offences, including unauthorised computer access and conspiracy to carry out a distributed denial of service attack on the Serious Organised Crime Agency's website. Scotland Yard later identified the man arrested as Yell, Shetland resident Jake Davis.

Police confiscated a Dell laptop and a 100-gigabyte hard drive holding 16 different virtual machines. The hard drive also contained details relating to an attack on Sony, and hundreds of thousands of email addresses and passwords were found on the computer. A London court released Davis on bail on the conditions that he live under curfew with his mother and have no access to the Internet. His lawyer, Gideon Cammerman, stated that, while his client did help publicize LulzSec and Anonymous attacks, he lacked the technical skills to have been anything but a sympathizer.

The name LulzSec combines the internet slang word 'lulz' (or 'lols'), a distorted form of the acronym meaning 'laugh out loud', with an abbreviation of 'security'.

Their method was to flood websites with so much traffic that they would crash, otherwise known as distributed denial of service (DDoS) attacks. Davis and Cleary plotted to carry out the attacks with other unknown members of the internet groups Anonymous, Internet Feds and LulzSec. To achieve this, they used a remotely controlled network of "zombie" computers, known as a "botnet", capable of being programmed to perform the attacks.

Davis admitted conspiring to carry out a “denial of service” attack on the Serious Organised Crime Agency. He also admitted hacking the NHS website. Cleary confessed to four charges, including hacking into US Air Force Agency computers based at the Pentagon.

The hackers repeatedly humbled law enforcement, stealing data from FBI partner organization InfraGard, briefly jamming the website of Britain's Serious and Organized Crime Agency, and publishing a large cache of emails from the Arizona Department of Public Safety.

But both denied two charges that they had posted "unlawfully obtained confidential computer data" to sites such as the Pirate Bay and Pastebin.

Members of LulzSec and its reputed leader, known as Sabu, were some of the best known in the movement. But in March, officials in the United States unmasked Sabu as an F.B.I. informant named Hector Xavier Monsegur, and officials on both sides of the Atlantic arrested roughly half a dozen people who were suspected of collaborating.

Alleged co-hackers Ryan Ackroyd, 25, and a 17-year-old A-level student from south London deny their involvement in the attacks and will stand trial with Davis and Cleary in April 2013.

Over the weekend, China's Internet was hit by a powerful distributed denial of service (DDoS) attack on the .cn domain that slowed and blocked Internet access for hours.

Security experts clarified that the attack on China could have been perpetrated by sophisticated hackers or by a single individual. The China Internet Network Information Center (CNNIC) reported that the attack began at 02:00 local time on Sunday, with a peak at 04:00, making it the largest DDoS attack the country’s networks have ever faced. CNNIC is responsible for registering sites in the .cn domain.

Before attackers can launch a DDoS attack, they must first infect the computers of unsuspecting users, often by tricking people into installing malware.

The China Internet Network Information Center confirmed the attack with an official statement informing internet users that it is gradually restoring web services and that it will work to improve the security of the country’s Internet infrastructure to prevent and mitigate further attacks.

The translated announcement follows: "8 May 25 at 0:00 or so, the State DNS node Denial of Service attacks, the China Internet Network Information Center disposal, to 2 pm, the service is restored to normal, early morning 3 through the official micro notice. Morning four o'clock, the state once again under DNS node biggest ever denial of service attacks, some websites analytical affected, leading to slow or interrupt access.

In the notice, the attack continues, national domain name resolution services have been gradually restored. Ministry of Industry and Information Technology launched the "Domain Name System Security specific contingency plans" to further the protection of national domain name resolution services. China Internet Network Information Center, the affected user apologized to launch cyber attacks on the Internet stable behavior affect condemned. China Internet Network Information Center will work with the sector to work together to continue to enhance the service capabilities."

The Wall Street Journal was the first media outlet to report the major outage; official Chinese government sources confirmed that the network had suffered the biggest distributed denial-of-service attack ever.

It is not currently known who attacked the Chinese domain or why. CloudFlare CEO Matthew Prince said there is no certainty that a group of hackers is behind the attack, adding that "it may have well been a single individual".

Prince's assessment is reinforced by the huge quantity of DIY DDoS tools available on the underground market, and by the possibility of renting a botnet to hit a specific target for a limited period; both options are practically accessible to single individuals and small gangs.

In recent months, meanwhile, the Chinese and U.S. governments have traded hacking accusations back and forth.

DDoS techniques have advanced massively as attackers have become more skillful at working around network security. A massive 300Gbps DDoS attack against the Spamhaus website almost broke the Internet a year ago, and earlier this year hackers reached new heights with a massive DDoS attack targeting content-delivery and anti-DDoS protection firm CloudFlare, peaking at more than 400Gbps.

Simple Network Management Protocol (SNMP) is a UDP-based protocol that is commonly used to manage network devices. It is typically found in devices such as printers, routers and firewalls, in both home and enterprise environments.

Just like DNS, SNMP can be used in amplification attacks because a cybercriminal can send a small request from a spoofed IP address and trigger a much larger response in return.

Over the past month, researchers have spotted 14 Distributed Denial-of-Service (DDoS) attack campaigns that have made use of SNMP amplified reflection attacks. The attacks targeted a number of different industries including consumer products, gaming, hosting, non-profits and software-as-a-service, mainly in the United States (49%) and China (18.49%).

Distributed Denial of Service (DDoS) attacks are becoming more sophisticated and complex, and DDoS has become one of the favorite weapons of cybercriminals for temporarily suspending or crashing the services of an Internet-connected host.

"The use of specific types of protocol reflection attacks such as SNMP surge from time to time," said Stuart Scholly, the senior vice president and general manager of the Security Business Unit at Akamai. "Newly available SNMP reflection tools have fueled these attacks."

The attack only targets devices running an older version of SNMP, version 2, which by default is open to the public Internet unless the feature is manually disabled. The latest version, SNMP version 3, is a more secure management protocol.

The cybercriminals used effective DDoS tools to automate GetBulk requests against SNMP v2 devices, causing a large number of networked devices to send their entire stored data at once to a target in order to overwhelm its resources.

The attack is simply a distributed reflection and amplification (DrDoS) attack, which lets an attacker with little skill and relatively few resources create a much larger data flood.
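Both the DNS reflection mechanism described in the DrDoS section above and the SNMP GetBulk amplification described here leave the same two traces at the victim’s network edge: replies arriving from reflector ports that no local host ever requested, and many distinct reflectors sending large replies to one host. The following detector, an added example written for this article (not code from Nominum, Akamai or Prolexic), checks both signals over constructed flow records; the port list and thresholds are assumptions for the sample data.

```python
"""
Flag reflection/amplification replies (DNS, NTP, SNMP) in UDP flow records.

Constructed example for this article. Two signals are checked:
  1. unsolicited replies: a payload from port 53/123/161 arrives for a local
     host that never sent a request to that reflector (the spoofed-source pattern);
  2. aggregate volume: many distinct reflectors deliver large replies to one host.
"""
from collections import defaultdict

# Reflector service ports named in the article (UDP). An assumed list; extend it
# for other reflector services being watched.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}


def unsolicited_replies(flows):
    """
    Return inbound replies from a reflector port for which no earlier outbound
    request from the same local host to that reflector was seen.
    flows: iterable of (src_ip, src_port, dst_ip, dst_port, bytes, direction),
    direction being "out" (leaving our network) or "in" (entering it).
    """
    requested = set()  # (local host, remote reflector, service port)
    hits = []
    for src, sport, dst, dport, nbytes, direction in flows:
        if direction == "out" and dport in REFLECTOR_PORTS:
            requested.add((src, dst, dport))
        elif direction == "in" and sport in REFLECTOR_PORTS:
            if (dst, src, sport) not in requested:
                hits.append((src, sport, dst, nbytes))
    return hits


def reflection_alerts(flows, min_reflectors=10, min_bytes=100_000):
    """
    Aggregate unsolicited replies per (victim, protocol) and alert when enough
    distinct reflectors and enough bytes are involved, largest volume first.
    The thresholds are assumed values; tune them to the monitored link.
    """
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for src, sport, dst, nbytes in unsolicited_replies(flows):
        entry = per_victim[(dst, REFLECTOR_PORTS[sport])]
        entry["reflectors"].add(src)
        entry["bytes"] += nbytes
        entry["packets"] += 1
    alerts = []
    for (victim, proto), e in per_victim.items():
        if len(e["reflectors"]) >= min_reflectors and e["bytes"] >= min_bytes:
            alerts.append({"victim": victim, "protocol": proto,
                           "reflectors": len(e["reflectors"]), "bytes": e["bytes"],
                           "avg_reply_bytes": e["bytes"] // e["packets"]})
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


# Constructed sample flows using documentation address ranges.
SAMPLE_FLOWS = [
    # Legitimate: local client 192.0.2.10 queries resolver 198.51.100.1 and gets a reply.
    ("192.0.2.10", 40001, "198.51.100.1", 53, 64, "out"),
    ("198.51.100.1", 53, "192.0.2.10", 40001, 180, "in"),
    # Legitimate: monitoring host 192.0.2.20 polls a managed device over SNMP.
    ("192.0.2.20", 50000, "203.0.113.7", 161, 90, "out"),
    ("203.0.113.7", 161, "192.0.2.20", 50000, 400, "in"),
]
# Reflected flood toward 192.0.2.99: 40 open resolvers each return a 3.5 KB DNS
# reply and 20 SNMP v2 devices each return a 60 KB GetBulk reply, none requested.
for i in range(40):
    SAMPLE_FLOWS.append((f"203.0.113.{100 + i}", 53, "192.0.2.99", 80, 3500, "in"))
for i in range(20):
    SAMPLE_FLOWS.append((f"198.51.100.{50 + i}", 161, "192.0.2.99", 80, 60000, "in"))

if __name__ == "__main__":
    for alert in reflection_alerts(SAMPLE_FLOWS):
        print(alert)
```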

"Network administrators are encouraged to search for and secure SNMP v.2 devices," added Scholly. "The Internet community has been active in blacklisting the devices involved in recent DDoS attacks, but we also need network administrators to take the remediation steps described in the threat advisory. Network administrators can help prevent more devices from being found and used by malicious actors."

Since 2013, hackers have adopted a new tactic to boost the size of Distributed Denial of Service (DDoS) attacks, known as the ‘Amplification Attack’, which leverages weaknesses in UDP-based protocols. The most common forms are DNS (Domain Name System) and NTP (Network Time Protocol) reflection denial-of-service attacks, but cybercriminals have now managed to use SNMP (Simple Network Management Protocol) to cause major damage as well.

WikiLeaks suffered another distributed denial of service (DDoS) attack on Tuesday morning, Fast Company reports. This attack was much more intense than Sunday's but still did not come close to actually shutting down the site.

A computer hacker known as “The Jester” shocked officials when he claimed to be behind the cyber attack that disabled the WikiLeaks website on Sunday morning, just before it released hundreds of thousands of classified U.S. embassy cables to the public.

The Jester, an ex-soldier, justified his hacking by accusing the website of “attempting to endanger the lives of our troops, 'other assets' & foreign relations." The self-proclaimed “hacktivist for good” turned to the Web to continue combating terrorism and organizations that appear to back Islamic extremism after ending his military service.

Cyber security expert Mikko Hypponen of F-Secure told CNN he believed The Jester was, in fact, behind the attack.

WikiLeaks had already distributed the information to numerous sources, saying in a Twitter feed, “El Pais, Le Monde, Speigel, Guardian & NYT will publish many US embassy cables tonight, even if WikiLeaks goes down.”

Though the WikiLeaks site was down for several hours on Sunday, it was up and running on Monday morning. Despite The Jester’s attempt to hinder WikiLeaks from distributing the classified documents, the site made its latest and largest leak shortly after the attack.

DDoS attackers attempted to bring down a banking service earlier this week using one of the largest distributed denial of service attacks on record, based on the DNS reflection technique.

Prolexic, the global leader in Distributed Denial of Service (DDoS) protection services, announced that it has successfully mitigated the largest DNS reflection attack ever recorded, which peaked at 167 Gigabits per second (Gbps). The company did not name the target of the digital assault.

DNS reflection was the attack method used in Operation Stophaus, an attack waged in March on The Spamhaus Project, a Geneva-based not-for-profit organization dedicated to fighting Internet spam. When Spamhaus was assaulted by a DNS reflection attack peaking at a vast 300Gbps, it engaged the help of a content delivery network (CDN) called CloudFlare to defend itself.

The DNS Reflection Denial of Service (DrDoS) technique exploits security weaknesses in the Domain Name System (DNS) Internet protocol. Using IP address spoofing, the source address of each query is set to that of the targeted victim, so all the replies go to the target.

The target of the attack thus receives replies from all the DNS servers that were used. This type of attack makes it very difficult to identify the malicious sources.

Prolexic’s digital forensics confirmed that 92 percent of the machines participating in the attack were open DNS resolvers sending traffic from port 53, which represented a malformed DNS response. The security provider recommends that all organizations proactively validate their DDoS mitigation service to reduce possible downtime, regardless of the size of the attack.

Many services can be exploited to act as reflectors, some harder to block than others. This DNS amplification attack involved a new mechanism that increased the amplification effect by using a much larger list of DNS servers than seen before.

A flaw discovered in several widely used BitTorrent applications, including uTorrent, Vuze and Mainline, could be used to carry out a devastating distributed denial of service (DDoS) attack that makes it very easy for a single undetectable hacker to bring down large sites.

New research by Florian Adamsky of City University London shows that the open BitTorrent protocol can be exploited to carry out Distributed Reflective Denial of Service (DRDoS) attacks.

The BitTorrent protocol is a file-sharing protocol used by millions of active online users at any given point in the day to exchange files over the Internet.

A DRDoS attack is a more sophisticated form of the conventional DDoS attack in which open and misconfigured services, such as DNS (Domain Name System) servers, can be used by anyone to launch high-bandwidth DDoS attacks on target websites.

In a paper titled "P2P File-Sharing in Hell: Exploiting BitTorrent Vulnerabilities to Launch Distributed Reflective DoS Attacks," the researchers show that weaknesses in various BitTorrent protocols can be exploited to amplify Denial of Service attacks.

The researchers conducted a test in which they were able to exploit BitTorrent peers to flood a third-party target with data traffic 50 to 120 times larger than the original request.

Two years ago, a massive 300Gbps DDoS attack launched against Spamhaus website almost broke the Internet. Also last year, hackers succeeded in reaching new heights of the massive DDoS attack targeting content-delivery and anti-DDoS protection firm CloudFlare, reaching more than 400Gbps at its peak of traffic.

BitTorrent has been notified about the flaws. The company has already patched some of its applications in a recent beta release. However, uTorrent is still vulnerable to a DHT attack. Vuze has also been notified about the vulnerability and has yet to release a patch.

'Operation Payback' is taking a new twist, as attackers have begun a new fax-based campaign against some of the companies that cut ties with WikiLeaks.

Hacktivists with 'Anonymous' are encouraging members to send faxes to Amazon, MasterCard, PayPal, Visa, Tableau Software and Moneybookers in a bid to launch a fax-based version of denial-of-service, according to Netcraft. During the past several days, the group has launched distributed-denial-of-service (DDoS) attacks against Websites belonging to a number of companies and organizations, including MasterCard and Visa.

"This latest campaign by the Anonymous group is analogous to the distributed denial of service attacks it has been carrying out against websites over the past week," blogged Netcraft's Paul Mutton. "In essence, this has turned into a DDoS attack against fax machines. The group started the fax-attacks (Dec. 13) at 13:00 GMT and published a list of target fax numbers in their call to arms."

"The Anonymous collective are being encouraged to send faxes of random WikiLeaks cables, letters from Anonymous, Guy Fawkes, and the WikiLeaks logo to the target fax numbers all day long," he continued. "It is not clear how many people are taking part in the attacks, but an IRC channel set up to provide information about the campaign contained 73 users just a few hours after the fax-attacks started."

But there is a saying about glass houses and stones, and the digital version is playing out in this case as well, as Anonymous has found itself under attack for supporting WikiLeaks, Mutton wrote.

"Many users were knocked off its IRC network after its servers came under attack (Dec. 13)," he blogged, adding that the anonops.eu domain (which used to announce the locations of IRC servers and the current attack target) came under attack as well.


After successfully launching reflection and amplification Distributed Denial-of-Service (DDoS) attacks by abusing various protocols such as DNS, NTP and SMTP, hackers are now abusing the Simple Service Discovery Protocol (SSDP) – part of the UPnP protocol standard – to turn home and office devices into reflectors, researchers warned.

SSDP is a network protocol based on the Internet Protocol Suite that comes enabled on millions of networked devices, such as computers, printers, Internet gateways, Router / Wi-Fi access points, mobile devices, webcams, smart TVs and gaming consoles, to discover each other and automatically establish working configurations that enable data sharing, media streaming, media playback control and other services.

FLAW IN UPnP USED IN AMPLIFICATION DDoS ATTACK

The Prolexic Security Engineering & Response Team (PLXsert) at Akamai Technologies has issued a warning that devices used in residential or small office environments have, since July, been co-opted into reflection and amplification distributed denial-of-service (DDoS) attacks that abuse the communications protocols enabled on UPnP devices.

"The rise of reflection attacks involving UPnP devices is an example of how fluid and dynamic the DDoS crime ecosystem can be in identifying, developing and incorporating new resources and attack vectors into its arsenal," the advisory states. "Further development and refinement of attack payloads and tools is likely in the near future."

The weakness in the Universal Plug-and-Play (UPnP) standard could allow an attacker to co-opt millions of consumer and business devices, which could then be conscripted to launch an effective DDoS attack on a target.

Attackers have found that Simple Object Access Protocol (SOAP) requests – SOAP being the protocol UPnP uses to exchange information in a decentralized, distributed environment – “can be crafted to elicit a response that reflects and amplifies a packet, which can be redirected towards a target.”

This UPnP attack is useful for both reflection attacks, given the number of vulnerable devices, and amplification as researchers estimate that it can magnify attack traffic by a factor of 30, according to the advisory.

OVER 4.1 MILLION DEVICES VULNERABLE

According to the security researchers, about 38 percent of the 11 million Internet-facing UPnP devices in use, i.e. over 4.1 million devices, are potentially vulnerable to being used in this type of reflection DDoS attack.

"The number of UPnP devices that will behave as open reflectors is vast, and many of them are home-based Internet-enabled devices that are difficult to patch," said Akamai security business unit senior vice president and general manager Stuart Scholly. "Action from firmware, application and hardware vendors must occur in order to mitigate and manage this threat."

MAJOR TARGETED COUNTRIES

South Korea has the largest number of vulnerable devices, followed by the United States, Canada, and China, according to the advisory.

This isn’t the first time a security flaw in UPnP has allowed attackers to target home and business devices: back in January 2013, a flaw in UPnP exposed more than 50 million computers, printers and storage drives to remote attack.

The Distributed Denial of Service (DDoS) attack is one of the favourite weapons of hackers for temporarily suspending the services of a host connected to the Internet, and by now nearly every big site has been a victim of this kind of attack.

Since 2013, hackers have adopted a new tactic to boost Distributed Denial of Service attack sizes, known as the ‘Amplification Attack’, which obscures the source of the attack while multiplying the bandwidth the attacker can bring to bear.

Just yesterday, hackers succeeded in reaching new heights with a massive DDoS attack targeting content-delivery and anti-DDoS protection firm CloudFlare, reaching more than 400Gbps at its peak and striking at the company’s data centers in Europe.

“Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year. Mitigating,” CloudFlare CEO Matthew Prince said in a tweet. “Someone’s got a big, new cannon. Start of ugly things to come.”

This massive DDoS attack was the largest in the history of the Internet, larger than the previous record-holder, the 300Gbps Spamhaus DDoS attack that almost broke the Internet.

Attackers leveraged weaknesses in the Network Time Protocol (NTP), which is used to synchronize computer clocks. They abuse NTP servers by sending small spoofed 8-byte UDP packets to a vulnerable server; each packet requests a large amount of data (megabytes worth of traffic) that is then sent to the DDoS target's IP address.

The frequency of NTP reflection attacks has grown in recent months. Researchers had long predicted that NTP might someday become a major vector for DDoS attacks and an ideal DDoS tool; the technique has recently become popular, causing problems for some gaming websites and service providers.

As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publicly accessible to at least 4.2.7. Until all the misconfigured NTP servers are cleaned up, attacks of this nature will continue.

Update: The CloudFlare team has released more technical details on the above 400Gbps NTP amplification DDoS attack. Hackers abused 4295 vulnerable NTP servers running on 1,298 different networks.

Each spoofed UDP packet was amplified to 206 times the size of the request by exploiting the MONLIST command vulnerability on open ntpd servers. "An attacker with a 1Gbps connection can theoretically generate more than 200Gbps of DDoS traffic."

That means that just by using a 2Gbps Internet connection and exploiting 4,529 NTP servers, the hackers DDoSed websites with 400Gbps of bandwidth. "On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare's network," they said.

CloudFlare has also released a list of all networks with "naughty" NTP servers used in the DDoS attack, rather than publishing the complete list of IP addresses: "At this time, we've decided not to publish the full list of the IP addresses of the NTP servers involved in the attack out of concern that it could give even more attackers access to a powerful weapon."

Until now the Internet has faced traditional Distributed Denial of Service (DDoS) attacks, in which a large number of compromised systems flood servers with a tremendous amount of bandwidth; but in the past few months we have noticed a massive change in DDoS attack techniques.

Hackers are using creative but evil DDoS techniques such as NTP and DNS amplification DDoS attacks. Last month we saw how cybercriminals abused a vulnerability in one of the biggest Chinese video hosting websites, Sohu.com, to turn its millions of visitors into participants in a Layer 7 (Application Layer) DDoS attack of 20 million requests.

According to a new report released by the US-based security solutions provider Incapsula, researchers have noticed another interesting DDoS attack activity, in which an attacker abused two major anti-DDoS service providers to perform a massive DDoS attack on other websites.

It's really EPIC that the services that should protect websites from DDoS attacks were themselves compromised to perform DDoS on other web services.

The researchers at the security firm noticed a surge of massive DNS DDoS attacks on one of its clients, peaking at approximately 25Mpps (million packets per second).

“With multiple reports coming from different directions, and with several large scale attacks on our own infrastructure, we are now convinced that what we are seeing here is an evolving new trend - one that can endanger even the most hardened network infrastructures,” reads the report.

This time, the hacker used a DNS flood, which differs from the DNS amplification attack most commonly used by hackers so far, both in its method of execution and in the type of trouble it aims to deliver.

A DNS amplification attack is an asymmetrical DDoS attack in which the attacker sets the source address of each query to the spoofed Internet Protocol (IP) address of the targeted victim, which means the target receives the replies from all the DNS servers that are used, making it the recipient of much larger DNS responses. “With these attacks the offender’s goal is to achieve network saturation by continuously exhausting the target’s bandwidth capacity,” Incapsula wrote.

A DNS flood is totally different: DNS floods are symmetrical DDoS attacks in which the attacker tries to exhaust server-side resources (e.g., memory or CPU) with a large number of UDP requests generated by malicious scripts running on many compromised botnet machines. The packets sent per second are even higher in this case compared to a DNS amplification attack.

“With DNS amplification, the effectiveness of an attacker’s own resources is increased by anywhere from 300% to 1000%, which means that large attacks could be initiated by relatively small botnets", says the report. “On the other hand, with DNS floods there is no multiplier to speak of at all. This means that, in order to generate a DNS flood at the rate of 25Mpps, the offender needs access to an equally powerful botnet infrastructure.”

Using this DNS flood, the hacker succeeded in sending malicious requests through two different servers at a rate of 1.5 billion DNS queries per minute, amounting to over 630 billion requests over the course of the 7-hour-long DDoS attack.

Both servers used by the attacker belonged to anti-DDoS service providers, one based in Canada and the other in China. After identifying the attack, Incapsula informed both anti-DDoS vendors, which then dropped the responsible clients from their services.

“Malicious misuse of security solutions is anything but new. However, this is the first time we encountered “rogue” scrubbing servers used to carry out large-scale DDoS attacks. This fact, combined with the inherit danger of non-amplified DNS floods, is what makes these attacks so devastatingly dangerous,” the researchers said.

A DNS amplification DDoS attack can be defended against by dropping all unexpected DNS responses arriving from port 53, whereas DNS flood queries are difficult to distinguish from legitimate DNS queries, and it is not possible to drop all DNS queries in order to mitigate the attack. Flood queries can be filtered when individually processed at the server level, but such processing is very difficult to carry out in practice. Thankfully, the impact of a DNS flood attack is bounded by the capacity of the attacker’s own resources.
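To make the distinction above concrete, here is an added example (not code from the article or from CloudFlare, Incapsula or Prolexic) that triages constructed UDP flow summaries: replies from DNS, NTP or SSDP source ports that none of the protected hosts requested are reported as reflection with an estimated amplification factor (the case described in the NTP section above), while a high rate of genuine queries aimed at a DNS server is reported as a flood with no multiplier. The protected address block, the thresholds, the assumed request sizes and the sample flows are all constructed for the example.

```python
"""Triage inbound UDP flow summaries into reflection/amplification traffic
(replies from DNS, NTP or SSDP reflectors that no protected host asked for)
versus a direct DNS query flood.  Added example with constructed data."""
from collections import defaultdict, namedtuple

# Reflector services the article discusses, keyed by well-known UDP port.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp"}
# Assumed request sizes for estimating per-packet amplification (8 bytes
# for NTP comes from the article; the DNS and SSDP sizes are assumptions).
REQUEST_BYTES = {"dns": 64, "ntp": 8, "ssdp": 100}
PROTECTED_NET = "203.0.113."   # assumed: our address block (documentation range)
UNSOLICITED_RATIO = 0.9        # assumed: share of replies with no matching request
QUERY_FLOOD_PPS = 500_000      # assumed: inbound DNS queries/sec we call a flood

Flow = namedtuple("Flow", "src sport dst dport packets bytes seconds")


def parse_flows(text):
    """Parse 'src sport dst dport packets bytes seconds' lines; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            src, sport, dst, dport, packets, nbytes, seconds = fields
            flows.append(Flow(src, int(sport), dst, int(dport),
                              int(packets), int(nbytes), float(seconds)))
    return flows


def classify(flows):
    """Return findings: one per (victim, reflector port) and one per flooded server."""
    # Requests our own hosts actually sent: (our host, server, service port).
    solicited = {(f.src, f.dst, f.dport) for f in flows
                 if f.src.startswith(PROTECTED_NET) and f.dport in REFLECTOR_PORTS}
    replies = defaultdict(lambda: {"resp": 0, "unsol": 0, "packets": 0,
                                   "bytes": 0, "seconds": 0.0, "sources": set()})
    queries = defaultdict(lambda: {"packets": 0, "seconds": 0.0, "sources": set()})
    for f in flows:
        if not f.dst.startswith(PROTECTED_NET):
            continue
        if f.sport in REFLECTOR_PORTS:             # shaped like a reflector's reply
            r = replies[(f.dst, f.sport)]
            r["resp"] += 1
            r["unsol"] += (f.dst, f.src, f.sport) not in solicited
            r["packets"] += f.packets
            r["bytes"] += f.bytes
            r["seconds"] = max(r["seconds"], f.seconds)
            r["sources"].add(f.src)
        if f.dport == 53:                           # a query aimed at our DNS server
            q = queries[f.dst]
            q["packets"] += f.packets
            q["seconds"] = max(q["seconds"], f.seconds)
            q["sources"].add(f.src)
    findings = []
    for (victim, port), r in replies.items():
        if r["unsol"] / r["resp"] < UNSOLICITED_RATIO:
            continue                                # mostly answers we asked for
        svc = REFLECTOR_PORTS[port]
        findings.append({
            "kind": "reflection", "victim": victim, "service": svc,
            "reflectors": len(r["sources"]),
            "factor": round(r["bytes"] / r["packets"] / REQUEST_BYTES[svc], 1),
            "mbps": round(r["bytes"] * 8 / r["seconds"] / 1e6, 1),
            # The article's mitigation: replies nobody requested can be dropped.
            "action": f"drop unsolicited UDP replies from source port {port}",
        })
    for victim, q in queries.items():
        pps = q["packets"] / q["seconds"]
        if pps >= QUERY_FLOOD_PPS:
            findings.append({
                "kind": "query_flood", "victim": victim, "service": "dns",
                "sources": len(q["sources"]), "pps": pps,
                # No multiplier: every packet is a real query the server must
                # answer or reject, so filtering is per query and capacity counts.
                "action": "rate-limit and filter per query; add server capacity",
            })
    return findings


# Constructed one-second sample: src sport dst dport packets bytes seconds
SAMPLE_FLOWS = """
203.0.113.10  41234 198.51.100.5  53     2      140       1.0  # our own resolver query
198.51.100.5  53    203.0.113.10  41234  2      600       1.0  # its answer: solicited
198.51.100.20 53    203.0.113.7   80     40000  128000000 1.0  # 3200-byte DNS answers, unasked
198.51.100.21 53    203.0.113.7   80     40000  128000000 1.0
198.51.100.30 123   203.0.113.7   80     20000  9600000   1.0  # 480-byte NTP replies, unasked
192.0.2.50    51111 203.0.113.9   53     600000 48000000  1.0  # 80-byte queries, no multiplier
192.0.2.51    52222 203.0.113.9   53     600000 48000000  1.0
"""


def analyze(text=SAMPLE_FLOWS):
    return classify(parse_flows(text))
```

Running `analyze()` on the sample reports two reflection findings against 203.0.113.7 (DNS at a factor of 50, NTP at a factor of 60) and one query flood against 203.0.113.9 at 1.2 Mpps, while the solicited resolver answer to 203.0.113.10 is ignored.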

As we have all seen, the DDoS trend is changing: to perform massive DDoS attacks, hackers are using every trick available, leveraging weaknesses in different protocols to boost the size of Distributed Denial of Service (DDoS) attacks.

Connected devices, better known as the Internet of Things, have been attracting significant interest not only from users but also from cyber criminals, who are turning them into weapons for cyber war.

Due to the insecure implementation of Internet-connected embedded devices, they are routinely being hacked and used in cyber attacks.

Yes, Surveillance cameras in shopping malls are being targeted to form a large botnet that can blow large websites off the Internet by launching crippling Distributed Denial-of-service (DDoS) attacks.

THE CAUSE

The crooks were able to do this because CCTV camera operators take a lax approach to security and fail to change the default passwords on the devices.

Security researchers from Imperva's Incapsula team first warned about closed-circuit television (CCTV) botnet attacks in March 2014.

However, according to a recent blog post published by Imperva, the DDoS attack now peaked at 20,000 requests per second and originated from nearly 900 CCTV cameras running embedded versions of Linux and the BusyBox toolkit.

MALWARE INFECTED CCTVs

When analyzing one of the compromised cameras, located in a shopping center just five minutes from the team's office, the researchers found that the camera was infected with a variant of a known malware program called Bashlite (also known as Lightaidra or GayFgt), specially designed for ARM versions of Linux.

The most common attack consisted of HTTP GET request floods originating from around 900 CCTV cameras spread around the world.

THE TARGETS

The target of the DDoS attack was a rarely-used asset of a large cloud service, serving millions of users worldwide. However, Imperva did not name the firm targeted.

Notably, in almost every case the compromised cameras monitored by the firm had been logged into from multiple locations, suggesting that several different hackers were abusing the weakness of unsecured CCTV cameras.

Top targeted countries for CCTV botnets around the world include India, China, Iran, Indonesia, US, and Thailand.

Cyber Attacks Leveraging Internet of Things

Internet-connected smart devices, including traffic and surveillance cameras, street lights, meters, smart pipes, traffic lights, and sensors, are easy to deploy, but are also easy to hack due to a lack of stringent security measures.

What would it take for hackers to significantly disrupt the US' 911 emergency call system?

It only takes 6,000 Smartphones.

Yes, you heard it right!

According to new research published last week, a malicious attacker can leverage a botnet of infected smartphone devices located throughout the country to knock the 911 service offline in an entire state, and possibly the whole United States, for days.

The attacker would only need 6,000 infected smartphones to launch automated Distributed Denial of Service (DDoS) attacks against 911 service in an entire state by placing simultaneous calls from the botnet devices to the emergency numbers.

However, as little as 200,000 infected mobile phones could knock the 911 emergency call system offline across the entire US.

Where Does the Problem Lie?

Researchers from Ben-Gurion University of the Negev's Cyber-Security Research Center say the problem is in the fact that current US Federal Communications Commission (FCC) regulations demand all calls to 911 must immediately be routed to emergency services, regardless of the caller's identifiers.

In other words, mobile carriers route all 911 emergency calls to a local Public Safety Answering Point (PSAP) without verifying the caller's identity or whether the caller is a subscriber to the mobile network.

These identifiers are the phone's International Mobile Subscriber Identity (IMSI) and International Mobile Station Equipment Identity (IMEI) codes, which tell the carrier whether the caller is a subscriber to its service and identify the mobile equipment, respectively.

How can Attackers Carry Out such Attacks?

All an attacker needs is a mobile botnet to launch TDoS (Telephony Denial of Service) attacks. The botnet can be obtained in two ways:

By infecting smartphones with malware, or

By buying the smartphones needed to launch the TDoS attack.

The researchers Mordechai Guri, Yisroel Mirsky, and Yuval Elovici note in a paper [PDF] that an attacker could exploit cellular network protocols by placing a rootkit or persistent, low-level malware within the baseband firmware of a mobile phone.

The rootkit can then mask and randomize all cellular identifiers, causing the cell phone to have no genuine identification within the cellular networks.

"Such anonymised phones [bots] can issue repeated [911] emergency calls that can not be blocked by the network or the emergency call centers, technically or legally," the team notes in the paper.

Secondly, an attacker could simply buy 6,000 or 200,000 smartphones, which would cost $100,000 or $3.4 million respectively – a small sum for state-sponsored attackers – to jam the 911 emergency system in an entire state or across the whole country.

This TDoS attack should not come as a surprise: during the 9/11 terror attack on the Twin Towers in New York City, thousands of legitimate callers collectively dialing 911 caused a denial of service on both the telephony network and the emergency reporting system.

Of course, the team did not perform this attack in an actual, nationwide system. It created a small simulated cellular network based on North Carolina's 911 network and attacked it instead.

The team bot-infected Samsung Galaxy S3, S4 and S5 smartphones running Android 4.4 and 5.x to test their work.

How can we prevent such DDoS campaigns against our Emergency Services?

Such attacks are currently difficult to block, as PSAPs have no way to blacklist fake calls. Also, blocking at the network level is not possible beyond selectively turning off cellular service in bot-infested areas.

However, the researchers suggest some countermeasures that can mitigate such attacks, including:

Storing IMEIs and other unique identifiers in a phone's trusted memory region (like ARM-processor design TrustZone), where malware can not alter them.

Since these changes would require cooperation from government, security professionals, cellular service providers, emergency services, and others, it is hard to expect such significant changes to happen anytime soon.

For in-depth and detailed information about the attack and possible mitigation procedures for US authorities, you can head on to the research paper [PDF] titled, '9-1-1 DDoS: Threat, Analysis and Mitigation.'

Radware’s Attack Mitigation System Delivers the First Fully Integrated Solution to Fight Cyber Attacks in Real Time

The solution blocks the new breed of sophisticated attacks that target multiple layers of the IT infrastructure. Today's point security tools for IT infrastructures are not enough to protect against the new wave of sophisticated cyber attacks. That's why Radware (NASDAQ: RDWR), a leading provider of application delivery and application security solutions for virtual and cloud data centers, today announced Radware Attack Mitigation System (AMS), the industry's first fully integrated IT security strategy and portfolio that protects the application infrastructure in real time against network and application downtime, application vulnerability exploitation, malware spread, information theft, Web service attacks and Web defacement.

Available today, Radware's AMS provides the most comprehensive solution to fight multi-vulnerability campaigns — today's sophisticated, headline-grabbing cyber attacks that probe IT targets for weaknesses and strike with parallel assaults across the infrastructure. These attacks are hard to defend against because they are aimed at multiple layers in the IT architecture, particularly against network infrastructure equipment, servers and applications. Examples of multi-vulnerability attacks include high-volume distributed denial of service (DDoS) attacks as well as "low & slow" stealthy attacks, network- and application-based attacks, all of which hit simultaneously at multiple weakness points in the networks while emulating legitimate user behavior making them harder to identify and block.
"The major advance in new threats has been the level of tailoring and targeting — these are not noisy, mass attacks that are easily handled by simple, signature-dependent security approaches. Targeted attacks aim to achieve a specific impact against specific enterprises, and have three major goals: Denial of service -- Disrupting business operations; Theft of service -- Obtaining use of the business product or service without paying for it; and Information compromise -- Stealing, destroying or modifying business-critical information," according to John Pescatore, VP Distinguished Analyst, Gartner, Inc. "Enterprises need to focus on reducing vulnerabilities and increasing monitoring capabilities to deter or more quickly react to evolving threats, and not focus on what country the attacks are coming from. "
Organizations typically respond to these attacks with separate patches and tools for protection such as anti-DoS, intrusion prevention systems (IPS), Web application firewalls (WAF), network behavioral analysis (NBA), reputation engines, and security information and event management (SIEM) solutions. Radware AMS consolidates these multiple attack detection and mitigation technologies, such as signature detection and network and application behavioral analysis (NABA), to handle malicious application traffic through application-level challenge/response techniques. This gives security managers the ability to identify bots that imitate real user application transactions and block them in real time, avoiding the need for rate-based protection that would drop legitimate users along with the attack traffic.
"Nearly all IT security solutions today are designed and deployed as point solutions. That's the problem — they miss the big picture," said Avi Chesla, Chief Technical Officer for Radware. "Thus they cannot make the required context-based security assessment, leaving the network exposed to today's multi-vulnerability attack campaigns.
"Most vendors only specialize as players in a primary solution – providing only WAF, IPS, DoS protection, or network behavioral analysis. Others will offer 'light' version add-ons to incorporate additional defenses. The solution we have launched offers best-of-breed technologies for all of these security modules in a holistic, integrated solution addressing the full gamut of today's evolving security threat landscape. Recent cyber attacks prove that businesses need to plan for the worst case, and that plan mandates the use of Radware's AMS solution," Chesla said.
The ultimate impact of multi-vulnerability attacks on businesses can be staggering, resulting in fraud, defacement, identity theft, leaking of sensitive corporate information, and as seen in many cases over the past year, a complete shutdown of operations. Yet as hackers evolve in sophistication, so too must IT security managers evolve their thinking. Radware AMS can lead a transformative shift in the way the industry approaches IT security from the current, tool-based response to a holistic approach that integrates tools and strategies into a real-time, proactive, attack mitigation solution.
Designed for online businesses, large enterprises, carriers, data centers and managed service providers, Radware's AMS is built on Radware's award-winning DefensePro® network security appliance, AppWall® Web application firewall and APSolute Vision® application and network security management dashboard.
Radware supplements these capabilities by adding the human factor — the professional security consultants of its Emergency Response Team (ERT) who are available around the clock. As literal "first responders" to cyber attacks, Radware's ERT members gained their extensive experience by successfully dealing with some of the industry's most notable hacking episodes, providing the knowledge and expertise to mitigate the kind of attack a business's security team may never have handled.

Global Marketing Campaign

In support of the announcement, Radware is launching its new company blog, which features expert insights on not only security, but also application delivery, mobile data, virtualization, service provider issues and a host of other IT topics. The company is also running a global marketing and advertising campaign to educate end users on how they need to be fully equipped to overcome today's multi-vulnerability attacks and take an offensive posture. The campaign features a Flash game and contest designed to provide players with a fun way to learn about Radware's Attack Mitigation System capabilities while they understand how to cost-effectively neutralize today's distributed attacks. The game, "Radware AMS Threat Race", runs until mid-October and offers contestants the opportunity to win $5,000. For more information and game access, please visit: http://www.radware.com/ams.
For more information on Radware's AMS, go to: http://www.radware.com/Solutions/Enterprise/Security/default.aspx.